MS_Active_Directory.ppt
- 1. Module 1: Introduction to Active Directory
- 2. Overview Introduction to Active Directory Active Directory Logical Structure Role of DNS in Active Directory Active Directory Physical Structure Methods for Administering a Windows 2000 Network
- 3. Introduction to Active Directory What Is Active Directory? Active Directory Objects Active Directory Schema Lightweight Directory Access Protocol (LDAP)
- 4. What Is Active Directory? Directory Service Functionality Organize Manage Control Resources Centralized Management Single point of administration Full user access to directory resources by a single logon
- 5. Active Directory Objects Objects Represent Network Resources Attributes Store Information About an Object Attributes First Name Last Name Logon Name Attributes Printer Name Printer Location Active Directory Printers Printer1 Printer2 Suzan Fine Users Don Hall Attribute Value Objects Printers Users Printer3
- 6. Active Directory Schema Objects Class Examples Printers Computers Users Attributes of Users Might Contain: accountExpires department distinguishedName middleName List of Attributes accountExpires department distinguishedName directReports dNSHostName operatingSystem repsFrom repsTo middleName … Attribute Examples Active Directory Schema Is: Dynamically Available Dynamically Updateable Protected by DACLs
- 7. DNS and Active Directory Namespaces microsoft.com sales. microsoft.com training. microsoft.com training microsoft DNS Namespace Active Directory Namespace = DNS node (domain or computer) = Active Directory domain sales computer1 (DNS root domain) “.” com. Internet
- 8. Lightweight Directory Access Protocol (LDAP) LDAP Provides a Way to Communicate with Active Directory by Specifying Unique Naming Paths for Each Object in the Directory LDAP Naming Paths Include: Distinguished names Relative distinguished names CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft Suzan Fine
- 9. Active Directory Logical Structure Domains Organizational Units Trees and Forests Global Catalog
- 10. Domains A Domain Is a Security Boundary A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains A Domain Is a Unit of Replication Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain Windows 2000 Replication
- 11. Organizational Units Organizational Structure Sales Vancouver Repair Users Sales Computers Network Administrative Model Use OUs to Group Objects into a Logical Hierarchy That Best Suits the Needs of Your Organization Delegate Administrative Control over the Objects Within an OU by Assigning Specific Permissions to Users and Groups
- 12. Trees and Forests contoso.msft au. contoso.msft asia. contoso.msft Tree Two-Way Transitive Trusts au. nwtraders.msft asia. nwtraders.msft nwtraders.msft Forest Tree Two-Way Transitive Trust
- 13. Global Catalog Global Catalog Server Global Catalog Subset of the Attributes of All Objects Domain Domain Domain Domain Domain Domain Queries Group membership when user logs on
- 14. Introduction to the Role of DNS in Active Directory Name Resolution DNS translates computer names to IP addresses Computers use DNS to locate each other on the network Naming Convention for Windows 2000 Domains Windows 2000 uses DNS naming standards for domain names DNS domains and Active Directory domains share a common hierarchical naming structure Locating the Physical Components of Active Directory DNS identifies domain controllers by the services they provide Computers use DNS to locate domain controllers and global catalog servers
- 15. DNS Host Names and Windows 2000 Computer Names DNS host record and Active Directory object represent the same physical computer DNS allows computers to locate domain controllers within Active Directory Active Directory training.microsoft.com Builtin Computers Computer1 Computer2 “.” com. sales training computer1 microsoft FQDN = computer1.training.microsoft.com Windows 2000 Computer Name = Computer1
- 16. DNS Requirements for Active Directory DNS Requirements to Support Active Directory Support for SRV records (mandatory) Support for the dynamic update protocol (recommended) Support for incremental zone transfers (recommended)
- 17. What Is a Tree? Parent Domain Child Domain Contiguous Namespace sales.contoso.msft Parent Child New Domain Tree Root Domain contoso.msft sales.contoso.msft
- 18. What Is a Forest? nwtraders.msft marketing. nwtraders.msft sales. nwtraders.msft contoso.msft sales. contoso.msft All of The Domains in a Forest Share a Common Configuration, Schema, and Global Catalog A Forest is One or More Trees Trees in a Forest Do Not Share a Contiguous Namespace Forest Tree Tree
- 19. What Is the Forest Root Domain? The Forest Root Domain Is the First Domain Created in a Forest contoso.msft Forest Forest Root Domain nwtraders.msft Tree Tree Root Domain Global Catalog Configuration and Schema Enterprise Admins Schema Admins marketing.nwtraders.msft sales.contoso.msft Tree
- 20. Characteristics of Multiple Domains Reduce Replication Traffic Maintain Separate and Distinct Security Policies Between Domains Preserve the Domain Structure of Earlier Versions of Windows NT Separate Administrative Control
- 21. Active Directory Physical Structure Domain Controllers Sites
- 22. Domain Controllers Domain Controller Domain Controller Domain Replication = A Writeable Copy of the Active Directory Database Domain Controllers: Participate in Active Directory replication Perform single master operations roles in a domain
- 23. Sites Sites: Optimize replication traffic Enable users to log on to a domain controller by using a reliable, high-speed connection Site IP subnet IP subnet Los Angeles Seattle Chicago New York
- 24. Introduction to Active Directory Replication Replication Domain Controller B Domain Controller C Domain Controller A Multimaster Replication with a Loose Convergence
- 25. Replication Components and Processes How Replication Works Replication Latency Resolving Replication Conflicts Optimizing Replication
- 26. How Replication Works Replication Originating Update Domain Controller A Domain Controller B Domain Controller C Replicated Update Replicated Update Active Directory Update Move Delete Add Modify
- 27. Replication Latency Replication Originating Update Domain Controller A Change Notification Change Notification Domain Controller C Domain Controller B Replicated Update Replicated Update Default Replication Latency (Change Notification) = 5 minutes When No Changes, Scheduled Replication = One Hour Urgent Replication = Immediate Change Notification
- 28. Resolving Replication Conflicts Domain Controller A Originating Update Domain Controller B Conflict Originating Update Stamp Stamp Conflict Version Number Timestamp Server GUID Stamp Conflicts Can Be Due to: Attribute Value Adding/Moving Under a Deleted Container Object or the Deletion of a Container Object Sibling Name
- 29. Replication Topology Directory Partitions What Is Replication Topology? Global Catalog and Replication of Partitions
- 30. Directory Partitions Domain Forest Directory Partitions Active Directory Database contoso.msft Configuration Schema Holds information about all domain-specific objects created in Active Directory Contains information about Active Directory structure Contains definitions and rules for creating and manipulating all objects and attributes
- 31. B2 A2 A1 B1 B3 A4 A3 Domain Controllers from Different Domains Domain A Topology Domain B Topology Schema/Configuration Topology A2 A1 A4 A3 Domain Controllers from the Same Domains Domain A Topology Schema/Configuration Topology What Is Replication Topology?
- 32. A2 A1 A4 A3 Domain Controllers from the Same Domains Domain A Topology Schema/Configuration Topology B2 A2 A1 B1 B3 A4 A3 Domain Controllers from Different Domains Domain A Topology Domain B Topology Schema/Configuration Topology What Is Replication Topology?
- 33. Partial Directory Partition Replica Global Catalog Server contoso.msft Configuration Schema Holds read only copy of all domain directory partitions namerica.contoso.msft Global Catalog and Replication of Partitions
- 34. B2 A2 A1 B1 B3 A4 A3 Domain A Topology Domain B Topology Schema/Configuration Topology Global Catalog and Replication of Partitions
- 35. Methods for Administering a Windows 2000 Network Using Active Directory for Centralized Management Managing the User Environment Delegating Administrative Control
- 36. Using Active Directory for Centralized Management OU1 Domain Computers Users OU2 Users Printers Computer1 User1 Printer1 User2 Domain OU2 OU1 User1 Computer1 Printer1 User2 Search Active Directory: Enables a single administrator to centrally manage resources Allows administrators to easily locate information Allows administrators to group objects into OUs Uses Group Policy to specify policy-based settings
- 37. Managing the User Environment Use Group Policy to: Control and lock down what users can do Centrally manage software installation, repairs, updates, and removal Configure user data to follow users whether they are online or offline Windows 2000 Enforces Continually Apply Group Policy Once 1 2 3 Domain OU1 OU2 OU3 1 2 3
- 38. Delegating Administrative Control Assign Permissions: For specific OUs to other administrators To modify specific attributes of an object in a single OU To perform the same task in all OUs Customize Administrative Tools to: Map to delegated administrative tasks Simplify interface design Domain Admin1 Admin2 Admin3 OU2 OU3 OU1
- 39. Review Introduction to Active Directory Active Directory Logical Structure Role of DNS in Active Directory Active Directory Physical Structure Methods for Administering a Windows 2000 Network